#1 - Testers: Many vs. Few
#2 - Coverage: Ongoing vs. Point-in-Time
#3 - Model & Results
Canvas Case Study:
How do bug bounties actually pan out?
Throughout this talk, Wade walks us through the process of scoping, implementing, learning from and iterating upon Canvas's bounty program. In 2014 they launched their first On-Demand bounty program, which replaced their annual security audit. Since then, Canvas has engaged with the crowd on both a time-boxed and a continuous basis.
The results speak for themselves.